DTNS Guest Post: Fallout from Airline Flight System Hack Will Result in Rise of Grumpy Pilots

Hey, it’s that Joe Pilot guy again. It just so happens I’m on reserve again and have a lot of time to write. It also seems like we have more aviation-related stories these days, maybe?

I wanted to calm down the worries on this LOT airlines DDoS. Firstly, this is no reflection on your reporting, just wanted to give you a heads up.

Flight planning doesn’t have anything to do with aircraft flying at the time; it is simply the written/printed PLAN for the flight. It’s not uncommon (at least domestically) for these flight plans to change in the cockpit. That’s not to say it is unimportant; they are important because they are a piece of the safety net we employ at every airline to keep something awful from happening. That also doesn’t mean if the flight plan is wrong—or the pilots don’t notice it’s wrong immediately—anything bad will happen; it just means one level of safety is compromised, the threat is trapped and we move on. Airplanes don’t crash because Dispatch misrouted a plane. Pilots don’t blindly follow plans and Air Traffic Control (ATC) doesn’t blindly clear airplanes through bogus routes. Not happening. A hacker wants to try and affect safety that way? Lots of luck, buddy. There’s two people up front ready to laugh it off (until the delay comes and then we grind our collective teeth while apologizing to the passengers). Delays will occur. Nothing more. I promise. We’re safe up there with or without dispatch, and even safer if we’re already on the ground.

What does a flight plan mean?
An aircraft dispatcher (not an air traffic controller) creates a flight plan with a specific route the company has identified as appropriate, looking at best planning techniques, standard or preferred routes, weather, etc. This route is created to estimate winds as accurately as possible to give the pilots on the ground the best idea possible of the amount of fuel required. The printouts help the pilot check against what he’s programmed into the onboard computers (FMS, the flight management system), and once in the air, check against fuel loads en route to ensure they are close to on plan. When ATC changes everything, this plan sometimes goes out the window, but there are other procedures for that.

Why would this DDoS attack matter?
The flight plans are created at an Operational Control Center for the airline (OCC or SOC or OC or AOCC) and have to be transmitted out. The system can have a few glitches at this point.

One: the flight plan has to be transmitted to a network so the gate agents or local airport operations can print the flight plan.

Two: the system simultaneously sends the flight plan to TRACON and their Flight Data department. Flight Data (FD) is trying to fix flight plans as they come in. They usually only have a five-minute window but they’ll need about 25 seconds because they kick ass. Then they kick the plans out to the sectors needing the CID strips.

(I forget what CID stands for, but if you’ve ever seen a Netflix documentary on airspace since the you’ve seen them. We’ve had those same stupid little paper strips stacked on ATC desks across America since the 1980s.)

Every time a flight plan is sent, FD does their best to move the strip on or kick it out if it’s junk (which sometimes happens, apparently). A good FD department probably kicked out a few of the LOT Polish flight plans the hackers generated, but it’s unlikely they figured out exactly what was happening until it was too late, and there’s a possibility the FAA/JAA (Federal Aviation Administration in the US, Joint Aviation Authorities in Europe) computers were overwhelmed at the same time.

So, summary: Airline OCCs, the FAA/JAA computers or the staff might get overwhelmed, but none of these flight plans have made it to the pilots yet. The gate agent or operations staff at the airport for the airline are just confused why there are tens or hundreds of flight plans in their software for LOT Polish flight 001 to JFK or wherever.

And then there’s the delay. Even if LOT Polish sends the flight plan by fax after printing it out, the FAA/JAA has to be called by phone and each flight plan submitted by voice. If there are 100 flights going out that day and OCC responds immediately, you’re going to start losing time because the dispatchers will start getting behind on their planes’ ETA with each flight plan that must be submitted. It would be MAYHEM.

I had something similar happen when I was an aircraft dispatcher at JFK a decade ago. Except for us, the national power grid went down and JFK was the last sector to receive power some 45-55 hours after the event. It was a brutal couple days of running to the Port Authority General Aviation building across from JAL cargo who still had power (generators) and a working fax machine.

There isn’t a good way to get around this problem. Flight planning systems like SABRE (my quick research shows at least some of LOT’s system is based off them) or especially LIDO (a Lufthansa system) are completely integrated airline operational systems which do everything from crew scheduling to flight planning to ticket sales (amazing). If you attack those you’ll probably shut down a whole airline for a day.

BUT BUT BUT, what about the planes in the air?
Nothing. We don’t use those systems in the air. The messaging system (SELCAL / ACARS) is sometimes sent by the company. Other groups, like ARINC or SITA, can get ahold of us too as a backup.

So, besides passenger delay, what WILL happen?
You’ll get a disgruntled pilot. Here’s why.

The dispatcher can call on a dedicated phone line the airline already pays for and tell them, “Tell LOT flight 26 that the First Officer needs to phone scheduling on the ground for a change to his schedule, the company ACARS is down for a while.”

Then the pilot in the front groans after reading the ACARS message and tells the Captain. If he gets junior manned again into a day off he’ll quit. OK, he won’t quit, but he’ll be talking about it 10 years later because he didn’t have that 72-hour layover in NYC like he was bidding for to buy some fake Prada bags for his girlfriend; instead he’ll only get 36 hours and get business class back home or to Denver.

And that’s the worst case. A slightly entitled and disgruntled pilot says something mean about the company to another pilot once every two months for the next ten years.

In other news, malicious hackers suck.

Joe Pilot understands his experience with ATC and dispatch is limited compared to someone who is a working professional in either field. Comments clarifying (or correcting) are welcome but take it easy, I’m not trying to present myself as an authority on all of aviation.